Dynamic asymmetric authentication
All of the previously described static asymmetric procedures have certain disadvantages. These can be eliminated by making the authentication dynamic, which provides protection against the re-entry of data intercepted from earlier sessions. The usual practice is to use a random number as the input value for a cryptographic algorithm. Of course, this means that the card must contain an arithmetic processing unit that can execute the asymmetric cryptographic algorithm. Figure 4.51 illustrates a unilateral authentication using a global public key. If card-specific authentication keys are required, the procedure for the storage and authentication of cardspecific public keys described in Section 4.11.3 is necessary. As with symmetric authentication, the terminal generates a random number and sends this to the smart card. The card decrypts the random number using the secret key15 and then sends the result back to the terminal. The terminal holds the global public key, and it uses this key to encrypt the random number that it has received. If the result of this computation is the same as the random number that was previously sent to the card, the card has been authenticated by the terminal. The basic features of a mutual authentication procedure for the smart card and the terminal are analogous to the unilateral procedure that has just been described. However, a mutual authentication requires a relatively long time, due to the large amount of data that must be exchanged and the time-consuming asymmetric encryption algorithm. Consequently, it is presently used very rarely.

DIGITAL SIGNATURES
Digital signatures, which are often referred to as ‘electronic signatures’, are used to establish the authenticity of electronically transmitted messages or electronic documents. Verification of the signature can be used to determine whether the message or document has been altered. A signature has the property that it can be correctly produced by only one single individual, but it can be verified by anyone who receives the message – or at least, by any recipient who has previously seen the signature, or who has a copy available for comparison. This is also the essential characteristic of a digital signature. Only one person or one smart card can ‘sign’a document, but everyone can verify whether the signature is genuine. Given this required characteristic, asymmetric cryptographic techniques represent the ideal starting point. The message or document to be signed is usually at least several thousand bytes long. In order to keep the computation time for generating the cryptographic checksum within acceptable limits, the checksum is not computed over the entire data string. Instead, a hash value for the data string is first produced. Hash functions16 are, simply stated, one-way functions for data compression. This compression is not reversible, which means that the original data cannot be reconstructed from the compressed data. Since the computation of a hash value is very fast, hash functions are an ideal aid for computing digital signatures. The term ‘digital signature’ is usually only used in connection with asymmetric cryptographic algorithms, since the separation of the public and private keys makes such algorithms very suitable for use with digital signatures. Nonetheless, ‘signatures’ based on symmetric cryptographic methods are often used in practice. However, with such signatures it is only possible to verify the authenticity of a document if the secret key used to generate the signature is known. Such a ‘signature’ is thus actually not a signature in the true sense of the word, but it is often referred to as such in practice. The term ‘digital’ is in this case omitted, to indicate the type of procedure used.

From an informatics perspective, there are two different ways to attach a signature to a message. The first is a form of cryptographic checksum for a given data string, similar to a MAC (message authentication code), with the signature appended to the actual message (digital signature with appendix). This has the advantage that the message can be completely read without requiring prior verification of the signature. However, the drawback is that the size of the message is increased by the length of the signature, which can certainly be a consideration in the case of smart cards. This drawback can be avoided by using the second method for attaching a digital signature to a message, which is called ‘digital signature with message recovery’. In this method, the hash value of the actual message is first appended to the message, following which an input block for the digital signature algorithm is formed starting at the end of the resulting data string. This means that the digitally signed message is increased in size only by the length of the hash value, but it cannot be completely read until the digital signature has been verified. The procedure for generating a digital signature with appendix can be quite easily portrayed. First, a hash algorithm is used to form a hash value from the content of the message, which may for example be a file produced by any arbitrary word-processing program. This hash value is decrypted using an asymmetric cryptographic algorithm, such as RSA in the example shown in Figure 4.53. The result of this computation is the actual signature, which is appended to the message. The signed message can now be sent via a non-secure path to the recipient. The recipient separates the signature from the message and then compresses the message using the same hash algorithm. The digital signature is encrypted using the public key of the RSA algorithm, and the result is compared with the result of the hash computation. If both values are the same, the message has not been altered while underway; otherwise, either the message or the signature has been altered during transmission. In the latter case, authenticity is no longer assured, and it cannot be assumed that the content of the message is unaltered. The task of the smart card in this scenario is very simple. It stores at minimum the private RSAkey, and it decrypts the hash value formed from the message, which means that it generates the signature. Everything else, such as generating the hash value or subsequently verifying the signature, can in principle be performed equally well by a PC.

Still, the ideal situation would be for the smart card to receive the message via its interface, compute the hash value and then send the signed message back to the terminal. Verification of the signature could also be performed by the smart card. This procedure is naturally no more secure than just computing the signature, but it is significantly more ‘application-friendly’. This is because hash algorithms and RSA keys can be changed by simply exchanging the smart card, without any need to alter programs or data in the PC. In these two examples, the keys used to generate and verify digital signatures are global, which means that they are the same for every smart card in a particular system. If a different arrangement should be used for security reasons, so that each card has its own key for digital signatures, a scheme such as that described in Section 4.11.3 must be used. The RSA algorithm is not the only one that can be used to produce digital signatures. There is also a cryptographic procedure that has been specially developed for this application, namely the DSA (Digital Signature Algorithm). Itwas first proposed by the NIST (US National Institute of Standards and Technology) in 1991. Signatures can be both generated and verified using the DSA. In contrast to the RSA algorithm, it is largely designed such that it cannot be used for data encryption and decryption, although this has now been shown to not be true. Compared with the strong export restrictions applicable to the RSA algorithm and algorithms based on elliptic curves, such a feature would represent a major advantage for international use and/or export.